Compliance and Enforcement and Telecom Decision - CRTC 2018-32
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Compliance and Enforcement and Telecom Decision CRTC 2018-32 PDF version References: Compliance and Enforcement and Telecom Notice of Consultation 2017-4, as amended, and Compliance and Enforcement and Telecom Regulatory Policy 2016-442 Ottawa, 25 January 2018 Public record: 1011-NOC2017-0004 and 8665-C12-201507576 Measures to reduce caller identification spoofing and to determine the origins of nuisance calls In Compliance and Enforcement and Telecom Regulatory Policy 2016-442, the Commission indicated that it would initiate a proceeding to review the progress that is being made on caller identification (ID) authentication. Based on this review, the Commission determines that authentication and verification of caller ID information for Internet Protocol (IP) voice calls should be implemented by Canadian telecommunications service providers (TSPs) by no later than 31 March 2019 to empower Canadians to better protect themselves against nuisance calls. TSPs are required to report on their progress. The Commission requests that the CRTC Interconnection Steering Committee (CISC) submit a consolidated industry progress report to the Commission every six months, beginning six months from the date of this decision. The Commission also determines that the telecommunications industry should establish a Canadian administrator for the issuance of certificates that would be required for authentication and verification of IP-based voice calls. The Commission further determines that Canadian TSPs are to develop a call traceback process, and requests that CISC file a report regarding such a process with the Commission for its review and approval within nine months of the date of this decision. Once the Commission has reviewed the report, it will decide what further measures may be required, including whether to mandate TSPs’ participation in a call traceback process. The Commission is prepared to take further action if it becomes clear that the telecommunications industry is not taking sufficient measures to protect Canadians against nuisance calls.
Introduction 1. In Compliance and Enforcement and Telecom Regulatory Policy 2016-442, the Commission, among other things, found that Canadian consumers did not have access to sufficient technical solutions to protect themselves from nuisance calls.1 Accordingly, the Commission took steps to introduce measures to block all calls in Canada that contain blatantly illegitimate caller identification (caller ID) information. The Commission also clarified the terms under which telecommunications service providers (TSPs) could and should provide opt-in call filtering services that would intercept and redirect suspected nuisance calls on behalf of subscribers to those services. Those measures complement the rules for the National Do Not Call List, as well as the rules regarding telemarketing and the use of automatic dialing-announcing devices (ADADs) to make calls, collectively referred to as the Unsolicited Telecommunications Rules (UTRs), and are part of a layered approach, similar to that used in cybersecurity, with a range of choices of mitigating techniques, that provides the flexibility to respond to an evolving ever-changing threat. 2. The Commission notes that regulators2 and carriers in other jurisdictions have made significant efforts to reduce nuisance calls by using various measures and techniques, and that additional measures may be required to further reduce nuisance calls and to provide consumers with tools they can use to protect themselves. In this regard, the Commission noted in Compliance and Enforcement and Telecom Regulatory Policy 2016-442 that there had been significant developments regarding caller ID authentication since the close of the record of the proceeding that led to that decision, and indicated that it intended to launch a follow-up proceeding to further consider measures intended to mitigate caller ID spoofing.3 3. In January 2017, the Commission initiated this follow-up proceeding with the issuance of Compliance and Enforcement and Telecom Notice of Consultation 2017-4. In that notice, the Commission sought comments on measures intended to trace and identify the source of a nuisance call, as well as information and comments on 1 Nuisance calls refer to unsolicited telecommunications that are made in non-compliance with the Unsolicited Telemarketing Rules (UTRs). Unsolicited telecommunications that are in full compliance with the UTRs are not nuisance calls. 2 In the United States, a telecommunications industry Robocall Strike Force was launched in mid-2016 to examine ways to accelerate measures to combat nuisance calls, and the Federal Communications Commission (FCC) is conducting proceedings on call blocking and caller ID authentication/verification. In the United Kingdom, the Office of Communications (Ofcom) has mandated a number of carriers to participate in a call blocking process that updates call blocking lists on a regular basis. 3 Spoofing occurs when callers deliberately falsify their caller ID (i.e. telephone number) that is sent to called parties in order to disguise their true identity. Spoofing is often used as a means to fool called parties into divulging valuable personal information that can then be used for fraudulent or illegal purposes. It should be noted that there are instances where such number substitution is used for legal and legitimate purposes, such as doctors calling patients or calls from womens’ shelters.
• the implementation, use, and effectiveness of technical solutions to
authenticate caller ID information for wireline, wireless, and voice over
Internet Protocol (VoIP) networks in Canada;
• the implementation, use, and effectiveness of mechanisms to trace and identify
the source of a call;
• any barriers to implementation that would need to be addressed to facilitate
these solutions and mechanisms; and
• what regulatory measures, if any, that would need to be established to ensure
that Canadians have confidence in the displayed caller ID information.
4. The Commission received interventions from the following: the Alliance for
Telecommunications Industry Solutions (ATIS); Anthony Rutkowski; Bragg
Communications Incorporated, carrying on business as Eastlink; the Canadian Cable
Systems Alliance; the Canadian Internet Registry Authority (CIRA); the Canadian
Network Operators Consortium Inc.; Cogeco Communications Inc.; Comwave
Networks Inc; Distributel Communications Limited; Freedom Mobile Inc.; the
Incumbent Carriers Group (consisting of Bell Canada, Bell Mobility Inc., Télébec,
Limited Partnership, and Northwestel Inc.) [ICG]; the Independent
Telecommunications Providers Association (ITPA); Neustar Inc. (Neustar); Primus
Management ULC; Quebecor Media Inc., on behalf of Videotron Ltd. (Videotron);4
Rogers Communications Canada Inc. (RCCI); Shaw Telecom G.P. (Shaw); TBayTel;
TekSavvy Solutions Inc.; and the Canadian VoicePeering Project (VoicePeering).
5. Based on the record of this proceeding, the Commission has identified the following
issues to be addressed in this decision:
• Are there technical solutions, and what are the appropriate regulatory
measures, if any, to re-establish trust in caller ID information?
• Are there mechanisms, and what are the appropriate regulatory measures, if
any, for determining the origins of nuisance calls?
Are there technical solutions, and what are the appropriate regulatory
measures, if any, to re-establish trust in caller ID information?
6. As caller ID spoofing provides anonymity, thereby facilitating illegal or fraudulent
activities, Canadians are growing increasingly weary of receiving nuisance calls.
Caller ID spoofing has become a significant problem with the introduction of VoIP
services as callers do not generally have the ability to alter the caller ID in legacy
4
In this proceeding, submissions were received from Videotron G.P. However, on 29 December 2017, all
of Videotron G.P.’s assets and operations were transferred to its affiliate, Videotron Ltd., and Videotron
G.P. was subsequently dissolved. For ease of reference, “Videotron Ltd.” is used in this decision.circuit-switched networks.5 Canadians are therefore no longer able to reliably trust
that the caller ID is authentic and they are therefore not always certain of who is
calling them. This impinges on the privacy of Canadians and exposes them to
potential harm.
7. The question before the Commission and the telecommunications industry is how to
re-establish consumer trust in the authenticity and veracity of caller ID.
8. The Internet Engineering Task Force (IETF)6 has developed a technical standard,
referred to as STIR7 that would provide a means for call-originating TSPs to certify
the identity of callers, thus enabling the caller’s identity to be validated. In
conjunction with STIR, ATIS has developed a framework, referred to as SHAKEN,8
for the implementation of STIR in IP-based service providers’ networks.
9. Pursuant to STIR/SHAKEN, TSPs certify the extent to which a given caller’s identity
can be trusted. This information is transmitted using “tokens” and is used by the
called party, or their TSP, to verify the authenticity of the caller ID (i.e. determine the
extent to which the caller ID can be trusted). This process is dependent upon one or
more central authorities that administer(s) and issue(s) certificates to TSPs.
Positions of parties
10. RCCI noted that over 90% of voice telephone traffic in Canada provides fully
authenticated and attested caller ID, and contended that the introduction of
STIR/SHAKEN for this type of voice traffic would be redundant. RCCI further
suggested, as a possible near-term alternative to STIR/SHAKEN, that the
Commission could require TSPs to attest or certify the caller ID of each telephone
call originator. RCCI noted, however, that it would be difficult to impose such a
requirement on users of private branch exchanges (PBXs), and also noted that this
alternative does not address the authenticity of caller ID information for calls
originating from abroad and terminating in Canada.
11. The ICG agreed with RCCI and other parties that spoofed calls do not generally
originate from Canadians TSPs. However, the ICG disagreed with RCCI’s interim
solution and supported the implementation of STIR/SHAKEN given that, in the
absence of STIR/SHAKEN, called parties (or their TSP) would be without
information on the validity of the caller ID, and would therefore be unable to
distinguish between legitimate calls (e.g. calls from trusted Canadian TSPs) and
5
There are some exceptions where the caller information is provided at other than the network level. These
are for calls from private branch exchanges (PBXs) and primary rate interfaces (PRIs) use in Integrated
Services Digital Network (ISDN) services.
6
The IETF is an international body that develops standards for the IP suite; namely Transmission Control
Protocol/Internet Protocol (TCP/IP).
7
STIR stands for Secure Telephony Information Revisited.
8
SHAKEN stands for Signature-based Handling of Asserted Information using toKENs.illegitimate calls (e.g., calls from foreign sources with spoofed caller ID to look like
they originated from trusted Canadian TSPs).
12. TSPs and other parties generally recognized that STIR/SHAKEN could be deployed,
in the future, to restore Canadians’ trust in caller ID.
13. VoicePeering offered to establish a Canadian test bed for STIR/SHAKEN;
CIRA supported this suggestion. Shaw noted that it intends to participate in the
U.S. STIR/SHAKEN trial being conducted by Neustar and ATIS.
14. Parties generally agreed that a Canadian entity would be required to administer and
issue certificates to TSPs if STIR/SHAKEN standards were to be implemented in
Canada. CIRA indicated that it could fulfill this function. Other parties suggested that
this function could be fulfilled by the Canadian Numbering Administration
Consortium (CNAC) or the Canadian Local Number Portability Consortium
(CLNPC), as an extension of their existing mandate. It was further suggested that a
technical approach similar to that used for HTTPS/DNS9 in the Internet domain could
be used.
15. However, TSPs generally expressed the view that it is premature to deploy the
STIR/SHAKEN technology, or to provide detailed comments on its operation and
effectiveness, given that STIR/SHAKEN and the subordinate standards have yet to be
finalized and incorporated into other industry organizations’ standards, such as those
developed by GSMA,10 3GPP, 11 and CableLabs.
16. TSPs also indicated that there is no existing equipment to support the deployment of
STIR/SHAKEN, and that compatible network equipment for IP-based networks
would generally be available by 2020. TSPs further noted that STIR/SHAKEN could
not be deployed on legacy circuit-switched networks due to the lack of vendor
support for the underlying equipment.
17. TSPs argued that a broad implementation of STIR/SHAKEN, both in Canada and
worldwide, would be required for this technology to be effective. It was also noted
that TSPs may not consistently implement the tiered approach for assigning a level of
trust in caller ID, as contemplated by SHAKEN, and that an inconsistent approach
would ultimately erode the utility of deploying this technology.
18. Parties also noted that handset manufacturers would need to implement
STIR/SHAKEN so that devices are capable of displaying information regarding the
authenticity and veracity of caller ID information in order for consumers to gain the
benefits of STIR/SHAKEN. Parties noted, however, that this information will only be
9
Hypertext Transfer Protocol Secure (HTTPS) encrypts data before it is sent over the Internet, and Domain
Name System (DNS) is the way that Internet domain names are located and translated into IP addresses.
10
GSMA stands for GSM Association.
11
3GPP stands for 3rd Generation Partnership Project.able to be displayed on IP and wireless (IMS/VoLTE12enabled) phones. The view was
also expressed that a consumer education or outreach program may be required to
ensure that Canadians can effectively determine the extent to which they could trust
caller ID information.
19. Parties noted that STIR/SHAKEN do not yet support calling name display (CNAM)
authentication, and that if this capability is to be incorporated into these standards,
there will need to be a unique Canadian CNAM specification, as this information is
provided differently in Canada than in the United States. In the United States, CNAM
is provided by a look-up to separate databases, while in Canada this information is
provided by the originating network. Parties indicated that this in itself is a serious
problem, as it might not be addressed by equipment vendors.
20. The ITPA, supported by TBayTel, stated that it is too early to consider the
implementation of STIR/SHAKEN in Canada, since small service providers, such as
the small incumbent local exchange carriers (ILECs) and others, would be unable to
fully participate in any CRTC Interconnection Steering Committee (CISC)13 process
at this point due to resource limitation.
21. Parties generally indicated that it would be premature to impose regulatory measures
to expedite the implementation of STIR/SHAKEN.
Commission’s analysis and determinations
22. The Commission reiterates that a layered approach is required to reduce nuisance
calls received by Canadians. In addition to the measures it has already taken to protect
the privacy of Canadians, the Commission considers it imperative to restore
Canadians’ trust in caller ID information.
23. It is not feasible to prevent caller ID spoofing that primarily originates from VoIP
services given that these services are not provided within a closed, managed
environment. Accordingly, the Commission considers that consumers must be
provided with a means of determining the authenticity and veracity of a caller’s
identity to determine the extent to which they trust that information.
24. The Commission considers that STIR/SHAKEN is likely the only current viable
solution that can provide consumers with a measure of additional trust in caller ID.
The Commission further considers that STIR/SHAKEN will increase the
effectiveness of opt-in call filtering solutions and network-level blocking of nuisance
calls with blatantly illegitimate caller ID.
12
IP Multimedia Subsystem/Voice over Long Term Evolution
13
CISC is an industry working group with a mandate to undertake tasks related to technical, administrative,
and operational issues on matters assigned by the Commission or originated by the public, that fall within
the Commission’s jurisdiction.25. While spoofed calls primarily originate from VoIP services, customers on all types of
networks are bothered by nuisance calls. The Commission recognizes that it is not
possible to deploy STIR/SHAKEN on legacy circuit-switched networks given that the
associated equipment is no longer vendor-supported. However, the Commission
considers this to be a diminishing concern as
• ILEC networks are migrating to IP-based network technologies;
• circuit-switched mobile networks are converting to VoLTE, which is
dependent on an IP-based core;
• almost all cable and competitive local exchange carrier networks are already
IP-based or will soon be; and
• many TSPs already exchange traffic over IP interconnections.
26. Notwithstanding the foregoing, the Commission expects TSPs to develop and
implement solutions, to the largest extent possible, that will extend the benefits of
STIR/SHAKEN to legacy circuit-switched and other non-IP networks, as well as the
associated handsets.
27. It is expected that STIR/SHAKEN and the subordinate standards will be completed in
2018. The Commission expects Canadian TSPs to be actively involved in the
development of these standards and the testing of the equipment that is developed
based upon these standards to ensure that unique Canadian requirements are
incorporated. While the initial release of these standards may not include provisions
to ensure the authenticity and veracity of CNAM, the Commission considers that this
would not prevent TSPs from deploying STIR/SHAKEN to restore trust in calling
numbers.
28. The Commission notes that North American telecommunications networks are highly
integrated and employ many of the same technologies and methodologies. It is
therefore noteworthy that the Federal Communications Commission (FCC) in the
United States is actively exploring the use of STIR/SHAKEN as part of measures to
reduce nuisance calls in that country.
29. The Commission considers that Canadian TSPs should be able to develop and
implement solutions based on STIR/SHAKEN by no later than 31 March 2019.
30. The Commission agrees with the parties that participated in the proceeding that a
Canadian administrator should be established to issue and administer certificates in
support of STIR/SHAKEN. The Commission further notes that the
telecommunications industry has successfully established consortia and other
governing bodies to accomplish similar goals, and that the industry is therefore well
placed to establish a Canadian certificate administrator..31. Accordingly, the Commission expects, by 31 March 2019, that
• TSPs will implement measures to authenticate and verify caller ID for all
IP-based voice calls; and
• the telecommunications industry will establish a Canadian certificate
administrator.
32. In order to monitor the industry’s progress, TSPs are required to submit to CISC a
report every six months, beginning six months after the date of this decision, on their
efforts and progress in implementing authentication/verification measures for caller
ID. The Commission requests that CISC consolidate the TSP reports into a single
report to be submitted to the Commission. The TSP and CISC reports are to include
the following information:
• the status of TSPs’ readiness in terms of network changes, if any;
• the status and results of equipment testing and participation in those tests; and
• statistics identifying
o the percentage of authentication/verification enabled trunks used for
IP voice traffic to the total number of voice trunks;
o the percentage by month of the number of authenticated/verified voice
calls to total number of voice calls; and
o tracking by the level of authentication (i.e. trusted, partial trust, no trust)
for calls delivered to customers.
33. In addition, the CISC report should also include
• the status of authentication/verification standards, such as STIR/SHAKEN and
their subordinate standards, and any other related standards; and
• identification of Canadian specific requirements in the standards and the
efforts that are being taken to incorporate these requirements into the
appropriate standards.
34. The Commission notes that if it is not satisfied with the industry’s progress in
implementing authentication/verification measures for voice calls, it may consider
imposing regulatory measures to ensure that consumers have the tools they need to
protect themselves from nuisance calls.Are there mechanisms, and what are the appropriate regulatory measures,
if any, for determining the origins of nuisance calls?
35. As a result of caller ID spoofing, the telephone number displayed on a consumer’s
Call Display cannot always reliably be used to determine the originating point of
nuisance calls. When caller ID is spoofed, the only way to determine a call’s origin is
to trace the path that a call travelled from the end-point to the originating point. This
path can involve a number of different networks.
Positions of parties
36. Parties to the proceeding generally did not support the implementation of a call
traceback process. In particular, the ICG suggested that, at this time, efforts would be
better spent on call filtering services and authentication processes.
37. In the event that a call traceback process is implemented, the ICG advised against a
retail level (i.e. consumer-initiated) traceback process as it would create false
expectations for consumers that nuisance calls would cease. The ICG also noted that
new tariff provisions would be needed for a call traceback service. In addition, the
ICG indicated that the Commission would need to create a condition under sections
24 and 24.1 of the Telecommunications Act (the Act) compelling all TSPs to
co-operate in call traceback activities.
38. RCCI noted that the Commission would need to develop enforcement procedures in
order to act on the results of call tracebacks.
39. RCCI, Shaw, and Videotron suggested that this matter should be referred to CISC to
develop a detailed methodology for tracing calls in a multi-network environment.
Commission’s analysis and determinations
40. The Commission notes that it has the authority to request information from TSPs as
part of investigations into alleged non-compliance with the UTRs. The Commission
notes, however, that the efficiency and effectiveness of its efforts to trace the origins
of nuisance calls is hindered by the lack of a standardized process. In particular, the
current approach
• is often lengthy in the absence of agreed-upon service standards and given that
it involves manual processes that may rely on multiple individuals within a
given TSP;
• may raise concerns regarding the information to be shared, including personal
information; and
• may not be successful, even for calls that originate in Canada, if Canadian
TSPs do not retain records of call routing details for a sufficient period of
time.41. The Commission further notes that TSPs already co-operate, in certain instances, to
trace the origins of nuisance or malicious calls on their networks. However, this
collaborative approach is dependent upon the sharing of information between TSPs
on a voluntary basis. If TSPs refuse to co-operate when requested by another TSP, the
traceback terminates at that point.
42. The call traceback process contemplated in Compliance and Enforcement and
Telecom Notice of Consultation 2017-4 would be available for use by TSPs and the
Commission to determine the source of nuisance calls. The Commission did not
contemplate that this process and call traceback results would be available to retail
customers directly given, among other things, the burden that this would place on
TSPs. In this regard, the Commission also reiterates, in the case of harassing or
threatening calls, that consumers have access to a pay-per-use Call Trace feature by
dialing a code on their phone, which records information regarding the last call they
received for review by the appropriate law enforcement agencies.14
43. The Commission notes that a national standardized call traceback process has been
established in the United Kingdom15 and a similar initiative is being contemplated in
the United States.16 The Commission is of the view that for a call traceback process to
function properly, it requires the co-operation and participation of all TSPs.
44. The Commission considers that a standardized industry-wide call traceback process is
needed in order to determine the origin of nuisance calls. This will enable corrective
actions to be taken at or close to the source of these calls, thereby reducing the
volume of nuisance calls and further protecting the privacy of Canadians.
45. In light of all of the above, the Commission requests that CISC develop an
industry-wide call traceback process and file a report regarding such a process with
the Commission within nine months from the date of this decision for Commission
review and approval. The report should include the following:
• a list of the specific and detailed information required by all parties to
complete a call traceback, and that must be shared to trace the origin of a call;
• a description of the roles and responsibilities of all parties involved in call
traceback;
• a description of the steps that have been taken, will be taken, or could be taken
to automate the call traceback process to the largest extent possible; and
• service standards regarding the timeliness for sharing information between
parties, and guidelines for the retention of call detail records.
14
The Call Trace feature only records information held by the terminating carrier.
15
Refer to the guidelines established by the Network Interoperability Consultative Committee (NICC) for a
telecommunications industry call traceback process.
16
Refer to the report prepared by the Robocall Strike Force that was filed with the FCC on
26 October 2016.46. Once the Commission has received and reviewed the report, it will decide what
further measures may be necessary, including whether to mandate TSPs’ participation
in a call traceback process.
Policy Direction
47. The Policy Direction17 states that the Commission, in exercising its powers and
performing its duties under the Act, shall implement the policy objectives set out in
section 7 of the Act in accordance with paragraphs 1(a), (b), and (c) of the Policy
Direction.
48. The policy objectives set out in paragraphs 7(a), (b), (f), (g), (h), and (i)18 of the Act
are advanced by the determinations in this decision.
49. Consistent with subparagraph 1(a)(ii) of the Policy Direction, the Commission’s
determinations in this decision
• are efficient and proportionate to their purpose, given that they are targeted to
o reducing false caller ID information provided to Canadians so that they are
able to take the appropriate actions in responding to incoming calls; and
o reducing nuisance calls to Canadians by being able to determine the source
of these types of calls so that the appropriate action can be taken to
prevent these calls from being made in the future; and
• interfere with the operation of competitive market forces to the minimum
extent necessary to meet policy objectives by providing flexibility to the
industry to develop and deploy protective measures that best meet the needs
and circumstances of both the industry and its subscribers.
50. Consistent with subparagraph 1(b)(iii) of the Policy Direction, the Commission’s
determinations in this decision are symmetrical and competitively neutral given that
they apply broadly to the entire industry.
Secretary General
17
Order Issuing a Direction to the CRTC on Implementing the Canadian Telecommunications Policy
Objectives, P.C. 2006-1534, 14 December 2006
18
The cited policy objectives of the Act are 7(a) to facilitate the orderly development throughout Canada of
a telecommunications system that serves to safeguard, enrich and strengthen the social and economic fabric
of Canada and its regions; (b) to render reliable and affordable telecommunications services of high quality
accessible to Canadians in both urban and rural areas in all regions of Canada; (f) to foster increased
reliance on market forces for the provision of telecommunications services and to ensure that regulation,
where required, is efficient and effective; (g) to stimulate research and development in Canada in the field
of telecommunications and to encourage innovation in the provision of telecommunications services; (h) to
respond to the economic and social requirements of users of telecommunications services; and (i) to
contribute to the protection of the privacy of persons.Related documents
• Measures to reduce caller identification spoofing and to determine the origins of
nuisance calls, Compliance and Enforcement and Telecom Notice of Consultation
CRTC 2017-4, 9 January 2017; as amended by Compliance and Enforcement and
Telecom Notice of Consultation CRTC 2017-4-1, 2 February 2017
• Empowering Canadians to protect themselves from unwanted unsolicited and
illegitimate telecommunications, Compliance and Enforcement and Telecom
Regulatory Policy CRTC 2016-442, 7 November 2016You can also read
